1 /* 2 ** The Sleuth Kit 3 ** 4 ** Brian Carrier [carrier <at> sleuthkit [dot] org] 5 ** Copyright (c) 2003-2009 Brian Carrier. All rights reserved 6 ** 7 ** TASK 8 ** Copyright (c) 2002 @stake Inc. All rights reserved 9 ** 10 ** This software is distributed under the Common Public License 1.0 11 */ 12 13 /* 14 * Contains the structures and function APIs for NTFS file system support. 15 */ 16 17 18 #ifndef _TSK_NTFS_H 19 #define _TSK_NTFS_H 20 21 #ifdef __cplusplus 22 extern "C" { 23 #endif 24 25 26 // the SID code has been buggy on some systems and byitself it does 27 // not provide much security info. It is being disabled until fixed. 28 #define TSK_USE_SID 1 29 30 //#define NTFS_FS_MAGIC 0x5346544E /* "NTFS" in little endian */ 31 #define NTFS_FS_MAGIC 0xAA55 32 33 #define NTFS_MAXNAMLEN 256 34 #define NTFS_MAXNAMLEN_UTF8 4 * NTFS_MAXNAMLEN 35 36 /* location of the Root Directory inode */ 37 #define NTFS_ROOTINO NTFS_MFT_ROOT 38 #define NTFS_FIRSTINO 0 /* location of the $Mft Record */ 39 #define NTFS_LAST_DEFAULT_INO 16 /* A guess for right now */ 40 41 #define NTFS_FILE_CONTENT_LEN 0 42 43 /* uncompression values */ 44 #define NTFS_TOKEN_MASK 1 45 #define NTFS_SYMBOL_TOKEN 0 46 #define NTFS_TOKEN_LENGTH 8 47 /* (64 * 1024) = 65536 */ 48 #define NTFS_MAX_UNCOMPRESSION_BUFFER_SIZE 65536 49 50 51 52 /************************************************************************ 53 * Update sequence structure. This is located at upd_off from the 54 * begining of the original structure 55 */ 56 typedef struct { 57 uint8_t upd_val[2]; // what they should be 58 uint8_t upd_seq; // array of size 2*(upd_cnt-1) w/orig vals 59 } ntfs_upd; 60 61 62 /************************************************************************ 63 * bootsector 64 * 65 * located in sector 0 in $Boot 66 */ 67 typedef struct { 68 uint8_t f1[3]; // 0 69 char oemname[8]; // 3 70 uint8_t ssize[2]; // 11 /* sector size in bytes */ 71 uint8_t csize; // 13 /* sectors per cluster */ 72 uint8_t f2[26]; // 14 73 uint8_t vol_size_s[8]; // 40 /*size of volume in sectors */ 74 uint8_t mft_clust[8]; // 48 /* location of MFT */ 75 uint8_t mftm_clust[8]; // 56 /* location of MFT mirror */ 76 int8_t mft_rsize_c; // 64 /* number of clusters per mft record */ 77 uint8_t f3[3]; 78 int8_t idx_rsize_c; // 68 /* number of clus per idx rec */ 79 uint8_t f4[3]; 80 uint8_t serial[8]; // 72 /* serial number */ 81 uint8_t f5[430]; //80 82 uint8_t magic[2]; 83 } ntfs_sb; 84 85 86 87 /************************************************************************ 88 * MFT Entry 89 * 90 * One entry in the MFT - there exists one for each file 91 */ 92 typedef struct { 93 uint8_t magic[4]; 94 uint8_t upd_off[2]; // 4 95 uint8_t upd_cnt[2]; // 6 size+1 96 uint8_t lsn[8]; // 8 $LogFile Sequence Number 97 uint8_t seq[2]; // 16 98 uint8_t link[2]; // 18 99 uint8_t attr_off[2]; // 20 100 uint8_t flags[2]; // 22 101 uint8_t size[4]; // 24 102 uint8_t alloc_size[4]; //28 103 uint8_t base_ref[6]; // 32 104 uint8_t base_seq[2]; // 38 105 uint8_t next_attrid[2]; // 40 The next id to be assigned 106 uint8_t f1[2]; // XP Only 107 uint8_t entry[4]; // XP Only - Number of this entry 108 } ntfs_mft; 109 110 /* Magic values for each MFT entry */ 111 #define NTFS_MFT_MAGIC 0x454c4946 112 #define NTFS_MFT_MAGIC_BAAD 0x44414142 113 #define NTFS_MFT_MAGIC_ZERO 0x00000000 114 115 /* MFT entry flags */ 116 #define NTFS_MFT_INUSE 0x0001 117 #define NTFS_MFT_DIR 0x0002 118 119 /* flags for file_ref */ 120 #define NTFS_MFT_BASE 0 /* set when the base file record */ 121 /* Mask when not zero, which indicates the base file record */ 122 #define NTFS_MFT_FILE_REC 0x00ffffffffffffff 123 124 /* DEFINED MFT entries - file system metadata files */ 125 #define NTFS_MFT_MFT 0x0 126 #define NTFS_MFT_MFTMIR 0x1 127 #define NTFS_MFT_LOG 0x2 128 #define NTFS_MFT_VOL 0x3 129 #define NTFS_MFT_ATTR 0x4 130 #define NTFS_MFT_ROOT 0x5 131 #define NTFS_MFT_BMAP 0x6 132 #define NTFS_MFT_BOOT 0x7 133 #define NTFS_MFT_BAD 0x8 134 //#define NTFS_MFT_QUOT 0x9 135 #define NTFS_MFT_SECURE 0x9 136 #define NTFS_MFT_UPCASE 0xA 137 138 139 140 /************************************************************************ 141 * Attribute Header for resident and non-resident attributes 142 */ 143 typedef struct { 144 uint8_t type[4]; 145 uint8_t len[4]; // 4 - length including header 146 uint8_t res; // 8 - resident flag 147 uint8_t nlen; // 9 - name length 148 uint8_t name_off[2]; // 10 - offset to name 149 uint8_t flags[2]; // 12 150 uint8_t id[2]; // 14 - unique identifier 151 152 union { 153 /* Resident Values */ 154 struct { 155 uint8_t ssize[4]; // 16 - size of content 156 uint8_t soff[2]; // 20 - offset to content (after name) 157 uint8_t idxflag[2]; // 22 - indexed flag 158 } r; 159 /* Non-resident Values */ 160 struct { 161 uint8_t start_vcn[8]; // 16 - starting VCN of this attribute 162 uint8_t last_vcn[8]; // 24 163 uint8_t run_off[2]; // 32 - offset to the data runs (after name) 164 uint8_t compusize[2]; // 34 - compression unit size (2^x) 165 uint8_t f1[4]; // 36 166 uint8_t alen[8]; // 40 allocated size of stream 167 uint8_t ssize[8]; // 48 actual size of stream 168 uint8_t initsize[8]; // 56 initialized steam size 169 } nr; 170 } c; 171 } ntfs_attr; 172 173 /* values for the res field */ 174 #define NTFS_MFT_RES 0 /* resident */ 175 #define NTFS_MFT_NONRES 1 /* non-resident */ 176 177 178 /* Values for flag field 179 * should only exist for $DATA attributes */ 180 #define NTFS_ATTR_FLAG_COMP 0x0001 /* compressed */ 181 #define NTFS_ATTR_FLAG_ENC 0x4000 /* encrypted */ 182 #define NTFS_ATTR_FLAG_SPAR 0x8000 /* sparse */ 183 184 185 186 /* values for the type field */ 187 /* NOTE that the default TSK attribute types are based on these. 188 * Any changes to these should be merged with the defines in tsk_fs.h */ 189 #define NTFS_ATYPE_SI 0x10 // 16 190 #define NTFS_ATYPE_ATTRLIST 0x20 // 32 191 #define NTFS_ATYPE_FNAME 0x30 // 48 192 #define NTFS_ATYPE_VVER 0x40 // 64 (NT) 193 #define NTFS_ATYPE_OBJID 0x40 // 64 (2K) 194 #define NTFS_ATYPE_SEC 0x50 // 80 195 #define NTFS_ATYPE_VNAME 0x60 // 96 196 #define NTFS_ATYPE_VINFO 0x70 // 112 197 #define NTFS_ATYPE_DATA 0x80 // 128 198 #define NTFS_ATYPE_IDXROOT 0x90 // 144 199 #define NTFS_ATYPE_IDXALLOC 0xA0 // 160 200 #define NTFS_ATYPE_BITMAP 0xB0 // 176 201 #define NTFS_ATYPE_SYMLNK 0xC0 // 192 (NT) 202 #define NTFS_ATYPE_REPARSE 0xC0 // 192 (2K) 203 #define NTFS_ATYPE_EAINFO 0xD0 // 208 204 #define NTFS_ATYPE_EA 0xE0 // 224 205 #define NTFS_ATYPE_PROP 0xF0 // (NT) 206 #define NTFS_ATYPE_LOG 0x100 // (2K) 207 208 209 210 211 /************************************************************************ 212 * File Name Attribute 213 */ 214 typedef struct { 215 uint8_t par_ref[6]; /* file reference to base File Record of parent */ 216 uint8_t par_seq[2]; /* seq num to base File Record of parent */ 217 uint8_t crtime[8]; /* file creation */ 218 uint8_t mtime[8]; /* file altered */ 219 uint8_t ctime[8]; /* mod time for FILE record (MFT Entry) */ 220 uint8_t atime[8]; /* access time */ 221 uint8_t alloc_fsize[8]; 222 uint8_t real_fsize[8]; 223 uint8_t flags[8]; 224 uint8_t nlen; /* length of file name */ 225 uint8_t nspace; 226 uint8_t name; /* in unicode */ 227 } ntfs_attr_fname; 228 229 /* values for the flags field of attr_fname */ 230 #define NTFS_FNAME_FLAGS_RO 0x0000000000000001 231 #define NTFS_FNAME_FLAGS_HID 0x0000000000000002 232 #define NTFS_FNAME_FLAGS_SYS 0x0000000000000004 233 #define NTFS_FNAME_FLAGS_ARCH 0x0000000000000020 234 #define NTFS_FNAME_FLAGS_DEV 0x0000000000000040 235 #define NTFS_FNAME_FLAGS_NORM 0x0000000000000080 236 #define NTFS_FNAME_FLAGS_TEMP 0x0000000000000100 237 #define NTFS_FNAME_FLAGS_SPAR 0x0000000000000200 238 #define NTFS_FNAME_FLAGS_REP 0x0000000000000400 239 #define NTFS_FNAME_FLAGS_COMP 0x0000000000000800 240 #define NTFS_FNAME_FLAGS_OFF 0x0000000000001000 241 #define NTFS_FNAME_FLAGS_NOIDX 0x0000000000002000 242 #define NTFS_FNAME_FLAGS_ENC 0x0000000000004000 243 #define NTFS_FNAME_FLAGS_DIR 0x0000000010000000 244 #define NTFS_FNAME_FLAGS_IDXVIEW 0x0000000020000000 245 246 247 /* values for the name space values of nspace */ 248 #define NTFS_FNAME_POSIX 0 /* case sensitive and any but NULL and \ */ 249 #define NTFS_FNAME_WIN32 1 // insensitive and restricted 250 #define NTFS_FNAME_DOS 2 // 8.3 format of 8-bit chars in uppercase 251 #define NTFS_FNAME_WINDOS 3 // name in WIN32 space that is already DOS 252 253 254 255 256 /************************************************************************ 257 * Standard Information Attribute 258 */ 259 typedef struct { 260 uint8_t crtime[8]; /* creation date */ 261 uint8_t mtime[8]; /* file altered */ 262 uint8_t ctime[8]; /* MFT Changed */ 263 uint8_t atime[8]; /* last access (read) */ 264 uint8_t dos[4]; /* permissions in DOS Format */ 265 uint8_t maxver[4]; 266 uint8_t ver[4]; 267 uint8_t class_id[4]; 268 uint8_t own_id[4]; 269 uint8_t sec_id[4]; 270 uint8_t quota[8]; 271 uint8_t usn[8]; 272 } ntfs_attr_si; 273 274 275 /* DOS Flags values */ 276 #define NTFS_SI_RO 0x0001 277 #define NTFS_SI_HID 0x0002 278 #define NTFS_SI_SYS 0x0004 279 #define NTFS_SI_ARCH 0x0020 280 #define NTFS_SI_DEV 0x0040 281 #define NTFS_SI_NORM 0x0080 282 #define NTFS_SI_TEMP 0x0100 283 #define NTFS_SI_SPAR 0x0200 284 #define NTFS_SI_REP 0x0400 285 #define NTFS_SI_COMP 0x0800 286 #define NTFS_SI_OFF 0x1000 287 #define NTFS_SI_NOIDX 0x2000 288 #define NTFS_SI_ENC 0x4000 289 290 291 292 /************************************************************************ 293 * Volume Info Attribute 294 */ 295 typedef struct { 296 uint8_t f1[8]; 297 uint8_t maj_ver; 298 uint8_t min_ver; 299 uint8_t flags[2]; 300 uint8_t f2[4]; 301 } ntfs_attr_vinfo; 302 303 #define NTFS_VINFO_DIRTY 0x0001 // Dirty 304 #define NTFS_VINFO_RESLOG 0x0002 // Resize LogFile 305 #define NTFS_VINFO_UPGRAD 0x0004 // Upgrade on Mount 306 #define NTFS_VINFO_MNTNT4 0x0008 // Mounted on NT4 307 #define NTFS_VINFO_DELUSN 0x0010 // Delete USN Underway 308 #define NTFS_VINFO_REPOBJ 0x0020 // Repair Object Ids 309 #define NTFS_VINFO_MODCHK 0x8000 // Modified by chkdsk 310 311 /* versions 312 * NT = Maj=1 Min=2 313 * 2k = Maj=3 Min=0 314 * xp = Maj=3 Min=1 315 */ 316 317 #define NTFS_VINFO_NT 0x21 318 #define NTFS_VINFO_2K 0x03 319 #define NTFS_VINFO_XP 0x13 320 321 322 323 324 /************************************************************************ 325 * attribute list 326 */ 327 typedef struct { 328 uint8_t type[4]; // Attribute Type 329 uint8_t len[2]; // length of entry 330 uint8_t nlen; // number of chars in name 331 uint8_t f1; // 7 332 uint8_t start_vcn[8]; // starting VCN or NTFS_ATTRL_RES 333 uint8_t file_ref[6]; // file reference to new MFT entry 334 uint8_t seq[2]; // 22 335 uint8_t id[2]; // id (also in the attribute header) 336 uint8_t name; // 26 name in unicode 337 } ntfs_attrlist; 338 339 #define NTFS_ATTRL_RES 0 340 341 342 343 344 /************************************************************************ 345 * runlist 346 * 347 * Used to store the non-resident runs for an attribute. 348 * It is located in the MFT and pointed to by the run_off in the header 349 */ 350 351 typedef struct { 352 /* lsb 4 bits: num of bytes in run length field 353 * msb 4 bits: num of bytes in run offset field - (LCN) 354 */ 355 uint8_t len; 356 uint8_t buf[32]; 357 } ntfs_runlist; 358 359 #define NTFS_RUNL_LENSZ(runl) \ 360 (uint8_t)(runl->len & 0x0f) 361 362 #define NTFS_RUNL_OFFSZ(runl) \ 363 (uint8_t)((runl->len & 0xf0) >> 4) 364 365 366 /************************************************************************ 367 * Index root for directories 368 * 369 * the attribute has two parts. The header is general to all index entries 370 * and applies to $IDX_ALLOC as well. The buffer part contains the 371 * index entries that are allocated to $IDX_ROOT. 372 * 373 */ 374 375 /* 376 * Starting at begin_off is a stream of ntfs_idxentry structures 377 */ 378 typedef struct { 379 uint8_t begin_off[4]; /* offset to start of seq of idx entries */ 380 uint8_t seqend_off[4]; /* offset to end of seq of idx entries */ 381 uint8_t bufend_off[4]; /* offset to end of idx buffer */ 382 uint8_t flags[4]; 383 } ntfs_idxelist; 384 385 /* value for flags */ 386 #define NTFS_IDXELIST_CHILD 0x1 /* children exist below this node */ 387 388 389 390 /* This is general index information and applies to $IDX_ALLOC as well */ 391 typedef struct { 392 uint8_t type[4]; /* ATYPE that tree is sorted by */ 393 uint8_t collation_rule[4]; 394 uint8_t idxalloc_size_b[4]; /* index alloc size in bytes */ 395 uint8_t idx_size_c; /* index alloc size in clusters */ 396 uint8_t pad[3]; 397 ntfs_idxelist list; 398 } ntfs_idxroot; 399 400 401 402 /************************************************************************ 403 * idxrec 404 * 405 * this is structure for the nodes of the B+ index trees 406 * It contains a list of index entry data structures. Each 407 * buffer corresponds to one node. The $IDX_ALLOC attribute 408 * is an array of these data structures 409 */ 410 411 412 typedef struct { 413 uint8_t magic[4]; /* INDX */ 414 uint8_t upd_off[2]; 415 uint8_t upd_cnt[2]; /* size + 1 */ 416 uint8_t lsn[8]; /* $LogFile Sequence Number */ 417 uint8_t idx_vcn[8]; /* vcn in idx alloc attr */ 418 ntfs_idxelist list; 419 } ntfs_idxrec; 420 421 422 #define NTFS_IDXREC_MAGIC 0x58444e49 /* INDX */ 423 424 425 426 /************************************************************************ 427 * This structure exists for each file and directory in the tree */ 428 typedef struct { 429 uint8_t file_ref[6]; /* file reference (invalid for last entry) */ 430 uint8_t seq_num[2]; /* file reference (invalid for last entry) */ 431 uint8_t idxlen[2]; /* length of the index entry */ 432 uint8_t strlen[2]; /* length of stream */ 433 uint8_t flags; 434 uint8_t f1[3]; 435 uint8_t stream; /* length of strlen - invalid for last entry */ 436 /* loc of subnode is found in last 8-bytes 437 * of idx entry (idxlen - 8). use macro 438 */ 439 } ntfs_idxentry; 440 441 #define NTFS_IDX_SUB 0x01 /* Entry points to a sub-node */ 442 #define NTFS_IDX_LAST 0x02 /* last indx entry in the node */ 443 444 /* return the address of the subnode entry, it is located in the last 445 * 8 bytes of the structure 446 */ 447 #define GET_IDXENTRY_SUB(fs, e) \ 448 (tsk_getu64(fs->endian, (int)e + tsk_getu16(fs->endian, e->idxlen) - 8)) 449 450 451 452 /************************************************************************ 453 */ 454 455 typedef struct { 456 char label[128]; /* label in unicode */ 457 uint8_t type[4]; 458 uint8_t disp[4]; /* display rule */ 459 uint8_t coll[4]; /* collation rule */ 460 uint8_t flags[4]; 461 uint8_t minsize[8]; /* minimum size */ 462 uint8_t maxsize[8]; /* maximum size */ 463 } ntfs_attrdef; 464 465 #define NTFS_ATTRDEF_FLAGS_IDX 0x02 466 #define NTFS_ATTRDEF_FLAGS_RES 0x40 /* always resident */ 467 #define NTFS_ATTRDEF_FLAGS_NONRES 0x80 /* allowed to be non-resident */ 468 469 470 471 /************************************************************************ 472 * OBJECT_ID attribute 473 */ 474 475 typedef struct { 476 uint8_t objid1[8]; /* object id of file or directory */ 477 uint8_t objid2[8]; 478 uint8_t orig_volid1[8]; /* id of "birth" volume */ 479 uint8_t orig_volid2[8]; 480 uint8_t orig_objid1[8]; /* original object id */ 481 uint8_t orig_objid2[8]; 482 uint8_t orig_domid1[8]; /* id of "birth" domain */ 483 uint8_t orig_domid2[8]; 484 } ntfs_attr_objid; 485 486 487 #if TSK_USE_SID 488 489 /************************************************************************ 490 * Self-relative security descriptor 491 */ 492 493 typedef struct { 494 uint8_t revision; /* Revision level of the security descriptor. */ 495 uint8_t pad; 496 uint8_t control[2]; /* Flags qualifying the type of 497 the descriptor as well as the following fields. */ 498 499 uint8_t owner[4]; /* Byte offset to a SID representing an object's 500 owner. If this is NULL, no owner SID is present in 501 the descriptor. */ 502 503 uint8_t group[4]; /* Byte offset to a SID representing an object's 504 primary group. If this is NULL, no primary group 505 SID is present in the descriptor. */ 506 507 uint8_t sacl[4]; /* Byte offset to a system ACL. Only valid, if 508 SE_SACL_PRESENT is set in the control field. If 509 SE_SACL_PRESENT is set but sacl is NULL, a NULL ACL 510 is specified. */ 511 512 uint8_t dacl[4]; /* Byte offset to a discretionary ACL. Only valid, if 513 SE_DACL_PRESENT is set in the control field. If 514 SE_DACL_PRESENT is set but dacl is NULL, a NULL ACL 515 (unconditionally granting access) is specified. */ 516 517 } ntfs_self_relative_security_descriptor; 518 519 520 521 522 /************************************************************************ 523 * Structure used in Security Descriptor lookups 524 */ 525 typedef struct { 526 char *buffer; 527 size_t size; 528 size_t used; 529 } NTFS_SXX_BUFFER; 530 531 532 533 /************************************************************************ 534 * SID attribute 535 */ 536 537 typedef struct { 538 uint8_t revision; /* Revision */ 539 uint8_t sub_auth_count; /* Sub Authority Count */ 540 uint8_t ident_auth[6]; /* NT Authority ::NOTE:: big endian number */ 541 uint32_t sub_auth[1]; /* At least one sub_auth */ 542 } ntfs_sid; 543 544 545 546 /************************************************************************ 547 * SDS attribute 548 */ 549 550 typedef struct { 551 uint8_t hash_sec_desc[4]; /* Hash of Security Descriptor */ 552 uint8_t sec_id[4]; /* Security ID */ 553 uint8_t file_off[8]; /* Offset of this entry in this file */ 554 uint8_t ent_size[4]; /* Size of this entry */ 555 ntfs_self_relative_security_descriptor self_rel_sec_desc; /* Self-relative Security Descriptor */ 556 } ntfs_attr_sds; 557 558 559 /************************************************************************ 560 * SDH attribute 561 */ 562 563 564 typedef struct { 565 uint8_t data_off[2]; /* Offset to data */ 566 uint8_t size[2]; /* Size of data */ 567 uint8_t pad1[4]; /* Padding */ 568 uint8_t ent_size[2]; /* Size of Index Entry */ 569 uint8_t key_size[2]; /* Size of Index Key */ 570 uint8_t flags[2]; /* Flags */ 571 uint8_t pad2[2]; /* Padding */ 572 uint8_t key_hash_sec_desc[4]; /* Hash of Security Descriptor */ 573 uint8_t key_sec_id[4]; /* Security ID */ 574 uint8_t data_hash_sec_desc[4]; /* Hash of Security Descriptor */ 575 uint8_t data_sec_id[4]; /* Security ID */ 576 uint8_t sec_desc_off[8]; /* Offset to Security Descriptor (in $SDS) */ 577 uint8_t sec_desc_size[4]; /* Size of Security Descriptor (in $SDS) */ 578 uint8_t pad3[4]; /* Padding */ 579 } ntfs_attr_sdh; 580 581 582 /************************************************************************ 583 * SII attribute 584 */ 585 586 typedef struct { 587 uint8_t data_off[2]; /* Offset to data */ 588 uint8_t size[2]; /* Size of data */ 589 uint8_t pad1[4]; /* Padding */ 590 uint8_t ent_size[2]; /* Size of Index Entry */ 591 uint8_t key_size[2]; /* Size of Index Key */ 592 uint8_t flags[2]; /* Flags */ 593 uint8_t pad2[2]; /* Padding */ 594 uint8_t key_sec_id[4]; /* Security ID */ 595 uint8_t data_hash_sec_desc[4]; /* Hash of Security Descriptor */ 596 uint8_t data_sec_id[4]; /* Security ID */ 597 uint8_t sec_desc_off[8]; /* Offset to Security Descriptor (in $SDS) */ 598 uint8_t sec_desc_size[4]; /* Size of Security Descriptor (in $SDS) */ 599 600 } ntfs_attr_sii; 601 602 603 #endif 604 605 606 typedef struct NTFS_PAR_MAP NTFS_PAR_MAP; 607 struct NTFS_PAR_MAP { 608 TSK_INUM_T par_addr; // parent dir address this structure is for 609 NTFS_PAR_MAP *next; // pointer to next structure in list 610 int alloc_cnt; // number of allocated INUM_T structures in addr 611 int used_cnt; // number of used entries in addr 612 TSK_INUM_T *addrs; // array for address of unallocated files in this dir 613 }; 614 615 616 /************************************************************************ 617 */ 618 typedef struct { 619 TSK_FS_INFO fs_info; /* super class */ 620 ntfs_sb *fs; 621 uint8_t ver; /* version of NTFS - uses the VINFO flag */ 622 TSK_FS_FILE *mft_file; /* contains the data for the mft entry for the mft */ 623 const TSK_FS_ATTR *mft_data; /* Data run for MFT entry for MFT */ 624 ntfs_mft *mft; /* cache for on-disk inode */ 625 TSK_INUM_T mnum; /* number of above cached mft */ 626 uint32_t csize_b; /* number of bytes in a cluster */ 627 uint16_t ssize_b; /* number of bytes in a sector */ 628 uint32_t mft_rsize_b; /* number of bytes per mft record */ 629 uint32_t idx_rsize_b; /* number of bytes per idx record */ 630 TSK_DADDR_T root_mft_addr; /* address of first mft entry */ 631 632 uint8_t loading_the_MFT; /* set to 1 when initializing the setup */ 633 634 TSK_FS_ATTR_RUN *bmap; /* Run of bitmap for clusters (linked list) */ 635 char *bmap_buf; /* buffer to hold cached copy of bitmap */ 636 TSK_DADDR_T bmap_buf_off; /* offset cluster in cached bitmap */ 637 ntfs_attrdef *attrdef; // buffer of attrdef file contents 638 size_t attrdef_len; // length of addrdef buffer 639 NTFS_PAR_MAP *orphan_map; // map that lists par directory to its orphans. 640 641 #if TSK_USE_SID 642 NTFS_SXX_BUFFER sii_data; 643 NTFS_SXX_BUFFER sds_data; 644 #endif 645 } NTFS_INFO; 646 647 648 extern uint32_t nt2unixtime(uint64_t ntdate); 649 extern uint8_t ntfs_attrname_lookup(TSK_FS_INFO *, uint16_t, char *, 650 int); 651 extern TSK_RETVAL_ENUM 652 ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, 653 TSK_INUM_T a_addr); 654 655 extern void ntfs_orphan_map_free(NTFS_INFO * a_ntfs); 656 657 extern int ntfs_name_cmp(TSK_FS_INFO *, const char *, const char *); 658 659 #ifdef __cplusplus 660 } 661 #endif 662 #endif 663